B0r0nt0K ransomware targets Windows & Linux users; demands 20 bitcoin in ransom

News by Jay Jay

A new ransomware has been found in the wild that targets systems running both Linux and Windows platforms and demands 20 bitcoin (£57,750) to decrypt hijacked websites belonging to victims.

A new ransomware has been found in the wild that targets systems running both Linux and Windows platforms and demands 20 bitcoin (£57,750) to decrypt hijacked websites belonging to victims.
Dubbed B0r0nt0K, the new ransomware encrypts a victim's file before demanding ransom, then also renames encrypted files with .rontok extension after making the file undergo Base64 encoding and URL encoding. After the ransomware takes over a targeted device, the victim is asked to pay 20 bitcoin in ransom by visiting https://borontok.uk.
Recently, security researchers at Trend Micro discovered a variant of the JobCrypter ransomware in the wild that also encoded victims' files to Base64 not once, but twice before sending screenshots of infected devices' desktops to an email address via SMTP and changing the wallpaper of infected devices to include the ransom note.
According to the researchers, the new variant "encodes all the file’s content to Base64 and encrypts the encoded content with Triple DES algorithm, and then encodes the encrypted file again to Base64. It also prepends the ransom note with the encrypted file instead of dropping another file in the system as most ransomware routines do before it finally deletes the original file in the drive".
As of now, not much is known about B0r0nt0K ransomware as it surfaced very recently and it is not known what technique the malware author is employing to inject the ransomware into victims' devices. However, having carried out an analysis of the malware, Gavin Millard, vice president of Intelligence at Tenable, said that it could be a test bed for a future attack.
"It’s difficult to know for certain how many have fallen victim to B0r0nt0k, however the bitcoin wallet currently has zero transactions. Criminals tend to set the ransom at a palatable level where it’s often easier or cost-effective to pay instead of having to spend time restoring items from backup. 
"In this case, either the ransomware was intended to be far more corrosive, thereby warranting the large fee, or the threat actor has another motive for infecting users – for example the malware is a test bed for a future attack. Time will tell," he said.
Millard told SC Magazine UK that in order to prevent their devices from being exposed to the ransomware, organisations must close the holes that these infections crawl through by practising basic cyber-hygiene to address their cyber-exposure.
"They must focus on good visibility into what assets are connected to their networks, determine where they’re vulnerable to popular attack vectors leveraged by ransomware authors and then either patch or protect assets that matter," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event